Effects of IT on Consideration of Internal Control in a Financial Statement Audit Dr. Donald McConnell Jr. 12/1/2018

The Following Materials Are from Recently Issued SAS No. 94 The Following Materials Are from Recently Issued SAS No. 94. This Information Has a High Probability of Appearing on the CPA Exam in May 2002 and Thereafter. 12/1/2018

Introductory Concepts In obtaining an understanding of internal control [IC], the auditor considers how use of information technology [IT] and manual procedures may affect controls relevant to the audit The auditor must assess control risk for the assertions embodied in account balances or transaction types (319.02) 12/1/2018

Assessing Control Risk at Less Than Maximum Assessing control risk below maximum is ordinarily more effective and efficient than performing only substantive tests This is called a “controls reliance” audit “Controls rely” audits characteristically: Result in relatively lower audit fees Allow the auditor to perform more work at interim 12/1/2018

Assessing Control Risk at Maximum In assessing control risk at maximum: Controls are effectively ignored The auditor performs only substantive tests However, it may may not be practical or possible to restrict detection risk to an acceptable level by performing only substantive tests (319.03) Where evidence of initiation, recording, or processing of data exists only in electronic form, the auditor’s ability to obtain desired assurances only from substantive tests significantly diminishes 12/1/2018

Some Controls May Relate to Objectives Irrelevant to the Audit Though important to the entity, these ordinarily do not relate to the audit process Consequently, these need not be ordinarily considered by the auditor Examples would include: Controls concerning management decision-making processes, e.g. pricing or capital expenditure (cap ex) decisions Sophisticated IT controls to maintain an airline’s flight scheduling (319.12) 12/1/2018

Characteristics of Manual Systems (311.17) Entity uses manual procedures and records in paper format: Mperanually reported sales orders on paper forms or journals Credit authorization, shipping reports, individuals post A/R Controls are also manual: Manual approvals and reviews Manual reconciliations and follow-up 12/1/2018

Characteristics of IT Based Systems (319.17) Automated procedures to initiate, record, process, and report transactions Records in electronic format replace paper purchase orders, invoices, shipping documents, and other records Controls characteristically consist of a combination of automated controls (embedded in programs) and manual controls Manual controls in IT systems may: Be independent of IT Use IT produced information Be limited to monitoring of functioning of IT effectiveness 12/1/2018

Benefits of IT on Internal Controls (319.18) Consistently applied predefined business rules and performance of complex calculations in large volumes of data Enhanced timeliness, availability, and accuracy of information Facilitates additional analysis of information Enhanced ability to monitor performance of activities, policies, and procedures Reduced risk of controls circumvention Enhanced ability to effectively segregate duties through security controls 12/1/2018

Controls Risks Relating to IT (319.19) Systems or programs inaccurately processing data, processing inaccurate data, or both Unauthorized data access may cause: Data destruction or loss unauthorized or nonexistent transactions Inaccurately recorded transactions Unauthorized changes to master files Unauthorized changes to systems or programs Failure to make necessary system or program changes Inappropriate manual intervention 12/1/2018

Inherent Limitations of Internal Controls: IT Perspectives (319.21-22) Errors may occur in designing, maintaining, or monitoring automated controls Errors may occur in use of information produced by IT Program edit routines flagging transactions exceeding certain limits may be overridden or disabled IT personnel may not completely understand how an order entry system should function. Changes may be correctly designed, but improperly coded by programmers Automated controls may report dollar limit violations for management review; however, reviewers may not understand the purpose of such and may fail to properly investigate unusual items. 12/1/2018

Extent of Understanding of Controls Activities Component (311.26) May need only be a limited understanding in auditing a non complex entity with significant owner-manager approval and review May require greater understanding for an entity with a large volume of revenue transactions relying on IT to measure and bill services in a complex, changing rate structure 12/1/2018

Determining Whether an IT Audit Professional Is Needed (319.30-31) Specialized IT skills may be needed in the audit: To determine effects of IT on the audit To understand IT controls To design and perform tests of IT controls, and substantive testing Cannot turn a generic audit senior loose in a complex DP environment excavation! And client DP professional jargon and other IT gibberish! 12/1/2018

Factors to Consider in Determining Need for IT Auditor (319.31-32) Complexity of IT system and related controls Significance of system changes, or new system implementation Extent to which data is shared among systems Extent of electronic commerce transacted Entity use of emerging technologies Significance of audit evidence available only electronically 12/1/2018

IT Controls May Be Viewed As Application Controls and General Controls (319.43-46) Application controls apply to processing of individual applications Examples include edit checks, numerical sequence checks and manual review of exception reports With manual reviews, controls effectiveness depends on both user review and accuracy of report information 12/1/2018

IT Controls May Be Viewed As Application Controls and General Controls (con.) Relate to many applications Are therefore pervasive controls, supporting effective functioning of application controls Examples include: data center and network operations controls System software acquisition and maintenance Access security Segregation of duties often achieved by implementing security controls 12/1/2018

Information and Communication IT Issues (319.50-51) Automated processes & controls: May reduce risk of inadvertent error Do not overcome risk of inappropriate override by persons Their may be little or no visible evidence of system intervention IT non-standard journal entries: May exist only in electronic form May be more difficult to identify than would be the case with printed or paper documents and journals 12/1/2018

Monitoring IT Issues (319.54-55) Characteristically much information used in monitoring produced by IT system Management should not assume data used for monitoring is accurate! [GIGO] GIGO can lead to incorrect management conclusions concerning monitoring 12/1/2018

Documenting Controls Understanding (319.61) Means for documenting controls of complex IT systems where large volumes of data are electronically processed: Flowcharts Questionnaires (ICQ’s) Decision tables Memorandums may be sufficient in documenting controls where little or no use of IT; or where few transactions are could usuallyprocessed 12/1/2018